Friday, April 2, 2004

ThinkPad security

Last month I bought a ThinkPad T40. I didn’t pay much attention to the item listing at eBay that talked about the embedded security system, but last night I had a few minutes to kill and checked it out.

The chip is a “security subsystem” — it can replace your Windows login so that if you don’t authenticate to the chip, you don’t get access to the OS. It will also integrate with biometric devices (like a fingerprint scanner) or a smart card reader — so that, when combined with a passkey, it creates a far more secure system.

So far, nothing really revolutionary. It’s the one-click file encryption system that really blew me away: I can right-click on a folder on my hard drive, select “Protect”, and IBM’s “File and Folder Encryption” app will encrypt the folder and its contents. If you’re not authenticated to the chip, you can’t view the files. Result? I don’t care how public a network you’re on — if that chip don’t want you seeing the files, you don’t see the files.

There are other apps that do this, of course. Years ago I used PGPDisk to do this. But as a hardware-based system that’s fully integrated with the OS and the laptop itself, this is a far more secure system. And it couldn’t be easier to use.

IBM was the first laptop manufacturer to produce a fully Trusted Computing Group-compliant machine. And I’m impressed — this is impressive for end-user security. (One note: the Password Manager that’s part of this security package is a nice idea — it’ll store all your passwords on the chip, letting you simply activate the chip and it’ll fill in any password for you. It’ll even generate random passwords for enhanced security. Sadly, the Password Manager doesn’t work with Mozilla, my browser of choice. And I had some issues with it working in IE. So I’m holding off on investing any time on that for right now.)